283 matches found
Important: Red Hat Security Advisory: fence-agents security update
An update for fence-agents is now available for Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, i...
ROOT-APP-PYPI-CVE-2026-32597 CVE-2026-32597 in rootio-PyJWT - Patched by Root
Root has patched CVE-2026-32597 in the rootio-PyJWT package for Root:PyPI. Multiple fixed versions available...
ROOT-APP-PYPI-CVE-2026-48526 CVE-2026-48526 in rootio-pyjwt - Patched by Root
Root has patched CVE-2026-48526 in the rootio-pyjwt package for Root:PyPI. Multiple fixed versions available...
python-pyjwt: PyJWT: Authentication bypass due to forged JSON Web Tokens
A flaw was found in PyJWT, a Python library for JSON Web Token JWT implementation. When decoding JWTs, the library fails to validate the use of JSON Web Keys JWK in the HMAC algorithm while also supporting asymmetric algorithms. This allows a remote attacker to use the issuer's public key as the...
Oracle Linux 9 : fence-agents (ELSA-2026-19355)
The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-19355 advisory. - bundled PyJWT: upgrade to v2.13.0 to fix CVE-2026-48526 Resolves: RHEL-182313 - bundled pyasn1: fix CVE-2026-30922 Resolves: RHEL-157202 - bundled...
SUSE SLED15 / SLES15 Security Update : python-PyJWT (SUSE-SU-2026:2627-1)
The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2627-1 advisory. This update for python-PyJWT fixes the following issues - CVE-2026-48522: PyJWKClient passes URI arguments...
SUSE-SU-2026:2627-1 Security update for python-PyJWT
This update for python-PyJWT fixes the following issues - CVE-2026-48522: PyJWKClient passes URI arguments directly to urllib.request.urlopen and allows for SSRF and token forgery bsc1266798. - CVE-2026-48523: verifier-side algorithm allow-list bypass when jwt.decode or jwt.decodecomplete are...
Oracle Linux 9 : fence-agents (ELSA-2026-26206)
The remote Oracle Linux 9 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2026-26206 advisory. - bundled PyJWT: upgrade to v2.13.0 to fix CVE-2026-48526 Resolves: RHEL-182313 - bundled pyasn1: fix CVE-2026-30922 Resolves: RHEL-157202 - bundled...
SUSE-SU-2026:22220-1 Security update for python-PyJWT
This update for python-PyJWT fixes the following issues - CVE-2026-48522: PyJWKClient passes URI arguments directly to urllib.request.urlopen and allows for SSRF and token forgery bsc1266798. - CVE-2026-48523: verifier-side algorithm allow-list bypass when jwt.decode or jwt.decodecomplete are...
Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by insufficient verification of data authenticity in PyJWT
Summary IBM Cloud Pak for Data System CPDS 1.0 uses the PyJWT library, a JSON Web Token implementation in Python. CVE-2026-32597 affects PyJWT's validation of the crit Critical Header Parameter as defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT do...
RHEL 9 : fence-agents (RHSA-2026:26206)
The remote Redhat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2026:26206 advisory. The fence-agents packages provide a collection of scripts for handling remote power management for cluster devices. They allow failed or unreachable...
GHSA-W7VC-732C-9M39 PyJWT: Unauthenticated DoS via unbounded Base64URL decoding of unused payload segment in b64=false detached JWS
!NOTE Practical impact depends on whether request body-size limits are enforced upstream proxy/web-server/framework. Deployments with typical body-size caps ≤2 MB bound the amplifier significantly; deployments accepting larger token inputs are more exposed. When verifying detached JWS tokens usin...
PyJWT: Unauthenticated DoS via unbounded Base64URL decoding of unused payload segment in b64=false detached JWS
!NOTE Practical impact depends on whether request body-size limits are enforced upstream proxy/web-server/framework. Deployments with typical body-size caps ≤2 MB bound the amplifier significantly; deployments accepting larger token inputs are more exposed. When verifying detached JWS tokens usin...
PyJWT: Algorithm allow-list bypass when decoding with `PyJWK` / `PyJWKClient` keys
!NOTE Scored assuming a deployment where algorithm policy functions as an authentication/authorization boundary. In deployments where the algorithm policy enforces crypto agility only, the practical confidentiality impact is lower and the issue is closer to an integrity-of-policy-enforcement bug...
GHSA-JQ35-7PRP-9V3F PyJWT: Algorithm allow-list bypass when decoding with `PyJWK` / `PyJWKClient` keys
!NOTE Scored assuming a deployment where algorithm policy functions as an authentication/authorization boundary. In deployments where the algorithm policy enforces crypto agility only, the practical confidentiality impact is lower and the issue is closer to an integrity-of-policy-enforcement bug...
Important: Red Hat Security Advisory: fence-agents security update
An update for fence-agents is now available for Red Hat Enterprise Linux 10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability...
RHEL 9 : fence-agents (RHSA-2026:22330)
The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:22330 advisory. The fence-agents packages provide a collection of scripts for handling remote power management for cluster devices. They allow failed or...
RockyLinux 10 : fence-agents (RLSA-2026:19138)
The remote RockyLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:19138 advisory. pyjwt: PyJWT accepts unknown crit header extensions RFC 7515 ?4.1.11 MUST violation CVE-2026-32597 pyasn1: pyasn1 Vulnerable to Denial of Service via...
CVE-2026-48523
A flaw was found in PyJWT, a Python library for handling JSON Web Tokens JWT. An attacker with control over a registered JSON Web Key JWK private key can bypass security checks by signing a token with a forbidden algorithm while claiming to use an allowed one. This allows the attacker to have the...
CVE-2026-48525
A flaw was found in PyJWT. A remote attacker can exploit this by supplying an arbitrarily large Base64URL payload segment when verifying detached JSON Web Signature JWS tokens using the unencoded-payload option. This forces excessive CPU work and memory allocations, leading to a Denial of Service...